On March 15, 2021, California’s Attorney General announced the adoption of updates to the regulations implementing the California Consumer Protection Act (“CCPA”).  The final (for now) regulations are available here. These latest updates are effective immediately.

The version that took effect yesterday is substantially identical to the draft updates that the Attorney General proposed on December 10, 2020.  (We discussed the December 2020 proposal in detail here.)  Notably, California at last now has an officially sanctioned form of an opt-out button. It looks like this:

By clicking the button, consumers can implement their CCPA right to tag their data “do not sell.” As of January 1, 2023, that right expands to include “do not share.”

The updated regulations also require businesses that collect personal information from customers offline to provide an easy, offline method for customers to opt out.  The regulations now require businesses which knowingly sell the personal information of consumers under 16 to include, in their consumer-facing policies, a description of the process for opting into the sale of this information.

The newly updated regulations make only one change of substance as compared to the December 2020 proposal: The Attorney General has removed a proposed clause that would have required the opt-out icon to be to the left of any text saying “Do not sell my personal information.”

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Alexandra P. Swain is a Debevoise litigation associate. Her practice focuses on intellectual property, data privacy, and cybersecurity issues. She can be reached at apswain@debevoise.com.

H Jacqueline Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Practice Group. She can be reached at hjbrehmer@debevoise.com.

Anagha Sundararajan is an associate in the Litigation Department.